Medical products. Software with increased requirements.
What are medical products? What norms must they comply with and how is compliance determined?
According to § 3 MPG, the Medical Product Law [Medizinproduktegesetz], medical devices are all instruments, apparatuses, devices, software, substances and preparations made of substances or other objects used individually or in combination, including the software specifically intended by the manufacturer to be used for diagnostic or therapeutic purposes and used for the proper functioning of the medical device, which are intended by the manufacturer to be used for human beings by means of their functions to serve the following purposes:
In addition, the principal intended action of medical devices in or on the human body is not achieved by pharmacologically or immunologically active substances or by metabolism, but their mode of action may be assisted by such substances.
The European Medical Device Directive MDD (93/42/EEC of the Council), which will be replaced in 2020 by the Medical Device Regulation MDR (EU) 2017/745, is the overriding law for medical devices in Germany. It will apply from May 2021 without being incorporated into national law (the originally planned date of May 2020 had to be postponed due to the coronavirus). The MDR is considered to be a more restrictive version of the MDD because the requirements for clinical assessment will increase. However, the classification of products, essential requirements and conformity assessments will remain the same.
The Medical Devices Act (MPG) [Medizinproduktegesetz] is also to be replaced by a Medical Devices Implementation Act (MDG) [Medizinprodukte-Durchführungsgesetz]. Since August 2019, a law adapting to the EU medical device regulations mentioned has existed as a draft bill (MPAnpG-EU – Medizinprodukte-EU-Anpassungsgesetz) describing these adjustments.
When is a medical device compliant with the regulations? When the manufacturer proves conformity with regulations through a conformity assessment procedure. The manufacturer must affix a CE mark to the product and notify the bodies designated by law that a medical device has been placed on the market. There is no approval or certification of medical devices in Europe. Consequently, it is much easier to bring medical devices to market in Europe than in the USA, for example. There, the FDA (Food and Drug Administration) oversees the approval of food, drugs and medical devices. This U.S. authority actively investigates and undertakes rigorous enforcement.
2019 survey by the Association of German Chambers of Industry and Commerce (DIHK) and Medical Technology Industry Association SPECTARIS.
The Medical Product Law [Medizinproduktegesetz] in Germany is supplemented by the following regulations:
The MDD/MDR and the Medical Product Law [Medizinproduktegesetz] define basic requirements for the safety of medical products. These requirements regarding quality, risk, usability etc. are specified in so-called harmonized standards:
ISO 13485: Medical products – Quality management systems
ISO 14971: Application of risk management to medical products
IEC 62304: Medical device software: Software life cycle processes
IEC 62366: Application of usability to medical products
IEC 60601-1: Electrical medical devices
The application of these standards is not mandatory. However, if they are not applied, it must be proven by other means that the medical product meets the requirements. In the soon to be effective MDR, common specifications (CS) are also mentioned. This means that manufacturers will have to use further instruments of proof in the future.
There are several distinctions made for software in medical contexts:
The purpose as determined by the manufacturer is decisive here. However, because this regulation is a bit vague, the Medical Device Coordination Group (MDCG) has developed a new definition of Medical Device Software (MDSW). According to this definition, software as a medical device is both software that works independently and software that makes the device work or influences its use.
Medical products are divided into active implants (RL 90/385/EEC) e.g. pacemakers, in-vitro diagnostics (RL 98/79/EC) e.g. HIV tests and medical devices (RL 93/42/EEC) e.g. dialysis equipment. The latter are in turn classified according to risk.
Class I: Low risk. These are divided into two groups (sterile and with measuring function). Examples: medical apps, wheelchairs, glasses, thermometers, etc.
Class IIa: Medium risk. Examples: Dental fillings, X-ray films, hearing aids, ultrasound equipment etc.
Class IIb: High risk. Examples: Intraocular lenses, condoms, X-ray equipment, infusion pumps, etc.
Class III: Very high risk. Examples: Hip and knee joint replacements, heart catheters, breast implants etc.
Classification is based on whether the product is invasive, how and for how long it is used, whether it is an active product and whether it is used on vital organs. There are currently 18 rules for the assignment to classes. Rule 11 has so far resulted in stand-alone software falling into class I. However, in the MDR, rule 11 for software was modified. When software is used for diagnostic or therapeutic purposes (and this is likely always to be the case), it will in future be assigned to Class IIb or even III, depending on the risk (death or irreversible change in health status).
Professor Christian Johner:
The IEC 62304 standard names five software life cycle processes:
The software development process is divided into eight sequential steps:
Depending on which safety class the software falls under, different steps in the process must be executed and documented. IEC 62304 provides for three classes of software:
Class A Injuries or damage to health cannot occur through the use of the software.
Class B Serious injuries cannot occur by using the software.
Class C Injuries including death are possible as a result of using the software.
Since 2015 there has been an addendum to the standard, in which software system tests are mandatory for all classes. As far as quality and risk management in software development are concerned, this standard refers to the respective specialized standards ISO 13485 and ISO 14971. For software maintenance there is a similar plan with eight steps.
The standard for quality assurance of medical devices ISO 13485 is in many parts identical with the widely known quality management standard ISO 9001. The central requirement is the documentation of all processes in a quality management manual. This document also provides the basis for proof of conformity. Four process groups are defined in ISO 13485:
These processes were created to ensure full compliance with the requirements for regulatory purposes. ISO 13485 is primarily aimed at the safety of medical devices, while ISO 9001 is designed to ensure that organizations strive for continuous improvement.
DIN ISO 14971 describes a risk management process for medical products. The aim is to minimize the risks for patients, users and third parties and to establish an acceptable risk-benefit ratio. The third edition of the standard, which will be published in 2019, emphasizes even more strongly that the benefits of a medical device must outweigh the risks. To this end, benefit was precisely redefined as:
positive effect or desirable outcome of the use of a medical device on the health of a person or positive impact on patient management or public health
Benefit is thus clearly defined as the medical benefit, not the economic benefit for the manufacturer.
The risk management process includes both risk analysis and risk management. This process is also divided into several steps: